Confirmed for at least UUID tokens in master branch (as of 240d6b41a04f1d24f9bfe36d4da3a57512bb80de). Current master branch requires a slightly different patch than the above due to recent refactoring, but it's a similar one-liner.

Not clear on the history of this issue yet or if PKI tokens are affected.

Attached patch for master branch that fixes the issue for UUID tokens and tests for the issue using both UUID & PKI tokens. However, the patch also includes an unrelated bugfix allowing for tokens w/o metadata that I'd specifically like ayoung to review and that we may need to track separately.

Description:
$CREDIT reported a vulnerability in token chaining in Keystone. A token expiration date can be circumvented by creating a new token before the old one has expired. An authenticated and authorized user could potentially leverage this vulnerability to extend his access beyond the account owner's expectations. Note: this vulnerability was fixed in the past (CVE-2012-3426) but was reintroduced in Folsom when code was refactored to support UUID tokens.

Description:
Anndy reported a vulnerability in token chaining in Keystone. A token expiration date can be circumvented by creating a new token before the old one has expired. An authenticated and authorized user could potentially leverage this vulnerability to extend his access beyond the account owner's expectations. Note: this vulnerability was fixed in the past (CVE-2012-3426) but was reintroduced in Folsom when code was refactored to support PKI tokens.
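The chaining behaviour described in the two impact descriptions, as an added example that is neither Keystone's code nor the attached patch: a minimal in-memory token backend with an assumed 24-hour token lifetime and an injectable clock. `issue_from_token_vulnerable` models the reintroduced defect (a token obtained by presenting another token gets a full new lifetime), and `issue_from_token` models the mitigation assumed here, in the spirit of the original CVE-2012-3426 fix: the child token's expiry is capped at the parent's, so renewing from a token can never push access past the moment the user last authenticated with real credentials plus one lifetime. All names, the lifetime, and the simulated renewal cadence are assumptions for illustration.

```python
import uuid
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(hours=24)  # assumed default lifetime, not Keystone's config


class TokenExpired(Exception):
    """Raised when a token is unknown or past its expiration."""


class FakeClock:
    """Controllable clock so expiry behaviour can be exercised deterministically."""

    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, delta):
        self.now += delta


class TokenStore:
    """Toy token backend: token id -> {user, expires, parent}."""

    def __init__(self, clock=None):
        self._tokens = {}
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _store(self, user_id, expires, parent):
        token_id = uuid.uuid4().hex  # UUID-style token id, as in the UUID token case above
        self._tokens[token_id] = {"user": user_id, "expires": expires, "parent": parent}
        return token_id

    def expiry(self, token_id):
        return self._tokens[token_id]["expires"]

    def validate(self, token_id):
        ref = self._tokens.get(token_id)
        if ref is None or self._clock() >= ref["expires"]:
            raise TokenExpired(token_id)
        return ref

    def issue_from_password(self, user_id):
        """Credential-based authentication: a fresh token with the full lifetime."""
        return self._store(user_id, self._clock() + TOKEN_LIFETIME, parent=None)

    def issue_from_token_vulnerable(self, parent_id):
        """Reintroduced defect: a chained token receives a brand-new lifetime,
        so renewing before expiry extends access without re-authenticating."""
        parent = self.validate(parent_id)
        return self._store(parent["user"], self._clock() + TOKEN_LIFETIME, parent=parent_id)

    def issue_from_token(self, parent_id):
        """Mitigated behaviour (assumed): the child never outlives its parent."""
        parent = self.validate(parent_id)
        expires = min(self._clock() + TOKEN_LIFETIME, parent["expires"])
        return self._store(parent["user"], expires, parent=parent_id)


def access_window_hours(fixed, hops=5, step=timedelta(hours=23)):
    """Simulate a user who renews via token every `step` for up to `hops` times.
    Returns how many hours after the original password authentication the
    last successfully issued token remains valid."""
    clock = FakeClock(datetime(2013, 1, 1, tzinfo=timezone.utc))  # constructed start time
    store = TokenStore(clock)
    issue = store.issue_from_token if fixed else store.issue_from_token_vulnerable
    start = clock.now
    token = store.issue_from_password("alice")  # constructed user id
    for _ in range(hops):
        clock.advance(step)
        try:
            token = issue(token)
        except TokenExpired:
            break  # the parent already expired; renewal correctly refused
    return (store.expiry(token) - start) / timedelta(hours=1)


if __name__ == "__main__":
    print("vulnerable chaining, hours of access:", access_window_hours(fixed=False))
    print("capped chaining, hours of access:    ", access_window_hours(fixed=True))
```

With the vulnerable routine, five renewals spaced 23 hours apart keep the user valid for 139 hours after the only real authentication; with the capped routine the second renewal is refused because the first chained token inherited the original 24-hour expiry. A regression test for either token format can assert exactly this: the expiry of a token issued from a token must be less than or equal to the parent's.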

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.